Bug 1312097
| Summary: | selinux: semanage dontaudit off and vsftpd together causes crash | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | mheadlee | ||||||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||||||
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | low | ||||||||||
| Version: | 7.2 | CC: | lvrabec, mgrepl, mheadlee, mmalik, plautrba, pvrabec, ssekidde | ||||||||
| Target Milestone: | rc | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | x86_64 | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2017-08-17 07:59:16 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 1393066 | ||||||||||
| Attachments: |
|
||||||||||
(In reply to mheadlee from comment #0) > Description of problem: > > * vsftpd generates boat loads (technical figure) of SELinux denials > which are ignored by dontaudit rules. > * Disabling dontaudit rules causes boat loads of denials to be logged to > audit.log. > * setroubleshoot is run from dbus for each SELinux denial. > * Thousands of setroubleshoots start simultaneously. > * Machine runs out of memory and locks > * Reboot does not fix problem, machine needs to be booted into rescue > and audit.log truncated to fix > > How reproducible: > Always > > Steps to Reproduce: > 1. # yum -y install vsftpd > 2. # semanage dontaudit off > 3. # systemctl start vsftpd > > > Actual results: > System runs out of memory and crashes. > > Expected results: > System doesn't crash. Could you attach examples of these AVCs? Created attachment 1137372 [details]
audit.log from system experiencing the above described issue.
Specifically note "1458216459.180:125" on line 579 when vsftpd is started. System ran out of memory and crashed on line 924.
Created attachment 1137378 [details]
Screenshot of machine before starting vsftpd.
Created attachment 1137380 [details]
Screenshot of machine after starting vsftpd.
Ok so there is no problem with vsftpd in enforcing mode if you have turned dontaudit rules on, right? Based on the last screenshot, the machine swaps heavily (load over 7, kswapd0 process is shown as first in the top output). How much memory does the machine have? Maybe setroubleshoot-server (written python) is consuming too much memory. Related to comment#9, it looks like the issue is with the HW capacity, not issue in selinux-policy. Closing this BZ as NOTABUG. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |
Description of problem: * vsftpd generates boat loads (technical figure) of SELinux denials which are ignored by dontaudit rules. * Disabling dontaudit rules causes boat loads of denials to be logged to audit.log. * setroubleshoot is run from dbus for each SELinux denial. * Thousands of setroubleshoots start simultaneously. * Machine runs out of memory and locks * Reboot does not fix problem, machine needs to be booted into rescue and audit.log truncated to fix How reproducible: Always Steps to Reproduce: 1. # yum -y install vsftpd 2. # semanage dontaudit off 3. # systemctl start vsftpd Actual results: System runs out of memory and crashes. Expected results: System doesn't crash.